weiphp /Application/Admin/Controller/PublicController.class.php Login SQL Injection Vul – .Little Hann

  • A+
所属分类:漏洞时代
摘要

1. 漏洞描述Relevant Link:2. 漏洞触发条件3. 漏洞代码分析/Application/Admin/Controller/PublicController.class.php

1. 漏洞描述

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2016-0190216

2. 漏洞触发条件

0x1: POC

http://demo.weiphp.cn/index.php?s=/Admin/Public/login.html post:username[0]=admin'&username[1]=xxx*&password=123

weiphp /Application/Admin/Controller/PublicController.class.php Login SQL Injection Vul - .Little Hann

3. 漏洞代码分析

/Application/Admin/Controller/PublicController.class.php

public functionlogin($username= null,$password= null,$verify= null){     /*读取数据库中的配置*/$config=S('DB_CONFIG_DATA');     if(!$config){$config=D('Config')->lists();S('DB_CONFIG_DATA',$config);     }C($config); //添加配置     //这里进行了验证码验证,但是如果黑客通过HTTP抓取动态获取验证码,则可突破这层防御     if(IS_POST){          /*检测验证码 TODO:*/         if(C('WEB_SITE_VERIFY') && !check_verify($verify)){$this->error('验证码输入错误!');     }     /*登录用户*/$User=D('Common/User');      //未对$username, $password进行任何输入过滤,导致SQL注入     if($User->login($username,$password, 'admin_login')){ //登录用户     ..

4. 防御方法

/Application/Admin/Controller/PublicController.class.php

public functionlogin($username= null,$password= null,$verify= null){         /*读取数据库中的配置*/$config=S('DB_CONFIG_DATA');         if(!$config){$config=D('Config')->lists();S('DB_CONFIG_DATA',$config);         }C($config); //添加配置         if(IS_POST){              /*检测验证码 TODO:*/             if(C('WEB_SITE_VERIFY') && !check_verify($verify)){                 //$this->error('验证码输入错误!');             }             /*登录用户*/$User=D('Common/User');             /* sql inject protect */$username=mysql_real_escape_string($username);$password=mysql_real_escape_string($password);             /**/             if($User->login($username,$password, 'admin_login')){ //登录用户

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: